

Rely on cloud security policy -- not tools -- to protect AWS

AWS boosted its security management offerings at re:Invent, but the cloud provider's shared responsibility model means developers must be attentive and implement policies.

When enterprises move workloads to a cloud infrastructure, they turn to tools to help enforce a cloud security policy and manage incident response. But many of those tools are inadequate. Configuration can be confusing, with important details often spread across different management screens, resulting in the need for a complicated, multistep process to build a consistent cloud security policy across the cloud service stack.

IaaS and its fully abstracted services bring several security benefits, such as the ability to microsegment networks and services with application-specific firewalls and granular access controls, central visibility and management of all resources, and hardened infrastructure designed and operated by experts. But securely using the cloud requires ample planning, some new management processes and learning new tools.

User privileges and resource access controls can be specified with incredible precision in the cloud, but that granularity is a mixed blessing. Although a cloud security policy can be defined and audited more precisely, the complexity it creates means cloud security is often poorly implemented, leaving unintended gaps and backdoors.

Cloud users remain concerned about security in general. Industry research and public comments show that some of the biggest perceived cloud security threats include unauthorized access, hijacking of accounts or services, malicious insiders and insecure APIs. One way to close the cloud security gap is for both public and private cloud services to provide the ability to set and enforce a consistent cloud security policy across clouds.

When properly configured, existing cloud security management tools can address these needs and deficiencies. But it's easy to make mistakes. The good news is that cloud vendors are addressing these problems with new services that promise to centralize, automate and simplify cloud security management.

The virtual, ephemeral nature of cloud services is both a boon to security and a source of management headaches. Cloud users can easily insert security services and control points between every layer of the infrastructure, but the ease with which cloud instances can be deployed, moved and destroyed also makes it difficult to keep track of the security policies and configurations applied to each one. Management complexity and security compliance received major attention during AWS and Microsoft events last fall, with each cloud provider unveiling new features and trying to educate customers.

New AWS security management measures

At AWS re:Invent 2015, the cloud provider announced two new security services and improved security on an existing product. The AWS Web Application Firewall is a new tool that's useful, but hardly groundbreaking; the other two products squarely tackled the problem of overly complex security administration. These new services complement AWS Trusted Advisor, which analyzes an environment to identify ways to improve performance, security and reliability and to reduce cost.

Amazon Inspector audits security compliance by comparing the configuration of server instances, networks and storage against a knowledge base of hundreds of rules, looking for violations of best practices and standards like PCI DSS. These include potential issues like allowing remote root logins, unpatched software with known vulnerabilities or leaving network ports unnecessarily open. Inspector generates a prioritized report of each violation and suggests remediation steps.

AWS Config Rules is an extension of AWS Config that adds templates and guidelines, using a mix of prebuilt AWS best practices and a user's custom rules, to flag errors in provisioning and configuring resources. The service continuously monitors the environment to ensure resources remain compliant. Example rules include mandating that volumes are encrypted, that all Elastic Compute Cloud instances are tagged properly and that CloudTrail is enabled on all resources to log API calls.

AWS users should sign up for Amazon Inspector and AWS Config Rules previews and build test environments up to the limitations of the respective beta programs. Since both AWS products rely on tags, users should be vigilant in categorizing resources with a consistent schema that maps to meaningful categories like business unit, primary owner, application, security level, stack tier and so on. Currently, both products are in preview release, which limits deployment size and regions; the company has not indicated when the products will be generally available.
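To make the two preceding points concrete (a custom Config rule that checks volume encryption, and a tag schema that every instance must carry), here is an added example in the shape of an AWS Config custom rule handler. It is not code from AWS or from the article; the required tag keys are a hypothetical schema built from the categories listed above, the configuration items are constructed samples, and the call that a deployed rule would make to report results to the Config API (put_evaluations, using the event's resultToken) is left out so the evaluation logic runs offline.

```python
import json

# Hypothetical tag schema (assumption): keys every EC2 instance must carry,
# mapping to the categories the article names. Overridable per rule via the
# "requiredTags" rule parameter (comma-separated list).
DEFAULT_REQUIRED_TAGS = ("BusinessUnit", "Owner", "Application", "SecurityLevel", "Tier")


def evaluate_compliance(item, rule_parameters):
    """Return (compliance_type, annotation) for one Config configuration item.

    AWS::EC2::Volume   -> must have encryption enabled.
    AWS::EC2::Instance -> must carry every key in the required tag schema
                          (a present-but-empty tag value counts as missing).
    Anything else      -> NOT_APPLICABLE.
    """
    rtype = item.get("resourceType")
    if rtype == "AWS::EC2::Volume":
        if item.get("configuration", {}).get("encrypted") is True:
            return "COMPLIANT", "Volume is encrypted."
        return "NON_COMPLIANT", "Volume is not encrypted."
    if rtype == "AWS::EC2::Instance":
        required = rule_parameters.get("requiredTags", ",".join(DEFAULT_REQUIRED_TAGS))
        required_keys = [k.strip() for k in required.split(",") if k.strip()]
        tags = item.get("tags") or {}
        missing = [k for k in required_keys if not tags.get(k)]
        if missing:
            return "NON_COMPLIANT", "Missing required tags: " + ", ".join(missing)
        return "COMPLIANT", "All required tags present."
    return "NOT_APPLICABLE", "Rule does not evaluate %s." % rtype


def lambda_handler(event, context=None):
    """Entry point in the shape AWS Config invokes for a custom rule.

    invokingEvent and ruleParameters arrive as JSON strings. The returned
    record is what a deployed rule would pass to put_evaluations together
    with event["resultToken"]; that API call is omitted here.
    """
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(item, rule_parameters)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def make_event(item, rule_parameters=None):
    """Build an invocation event with the fields a Config custom rule receives."""
    return {
        "invokingEvent": json.dumps({
            "configurationItem": item,
            "messageType": "ConfigurationItemChangeNotification",
        }),
        "ruleParameters": json.dumps(rule_parameters or {}),
        "resultToken": "constructed-token",
    }


# Constructed sample configuration items (not captured from a real account).
SAMPLE_UNENCRYPTED_VOLUME = {
    "resourceType": "AWS::EC2::Volume",
    "resourceId": "vol-0000example",
    "configurationItemCaptureTime": "2015-12-01T10:00:00.000Z",
    "configuration": {"encrypted": False, "size": 8},
    "tags": {},
}
SAMPLE_INSTANCE_MISSING_TAGS = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0000example",
    "configurationItemCaptureTime": "2015-12-01T10:00:00.000Z",
    "configuration": {"instanceType": "t2.micro"},
    "tags": {"BusinessUnit": "payments", "Owner": "alice@example.test"},
}

if __name__ == "__main__":
    for item in (SAMPLE_UNENCRYPTED_VOLUME, SAMPLE_INSTANCE_MISSING_TAGS):
        result = lambda_handler(make_event(item))
        print(result["ComplianceResourceId"], result["ComplianceType"], result["Annotation"])
```

The split between a pure evaluate_compliance and the event-parsing handler is deliberate: the compliance logic can be unit-tested against constructed configuration items without an AWS account, and the same function can evaluate a snapshot of existing resources before the rule is turned on, which is the step the preview limitations above make worthwhile.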

New Microsoft Azure security measures

One of the major announcements out of Microsoft's AzureCon event was Azure Security Center, a service that consolidates security management and monitoring under a single portal. For example, admins can quickly see if VM images and configurations are up to date, configured according to predefined standards or Microsoft guidelines, and running necessary security software. From the same portal, admins can also check network and database settings, such as whether virtual networks are members of the correct security groups and have properly set access control lists, or whether SQL databases are encrypted.

Security Center also draws upon threat intelligence data Microsoft collects from all Azure deployments and notifies customers of unusual or threatening activity. For example, Microsoft has built a reputation database of known bad sites, such as those part of botnet control networks.

Security Center is Microsoft's platform for connecting third-party security products like next-generation firewalls, vulnerability monitors (IDS/IPS) and others from Azure's ecosystem of service partners. Consolidating built-in and third-party security products under one umbrella simplifies both deployment and ongoing management.

Azure customers can become familiar with Security Center by viewing the online video training and tutorials and setting up some test resources to get hands-on experience with the new features. Like the new AWS offerings, Security Center is currently in preview release and not ready for production workloads.

New Google Cloud security measures

Although not as ambitious as its competitors' new services, Google has recently automated a key security task, vulnerability scanning, for customers of its App Engine platform as a service. The company's Security Scanner "… crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible," according to company documentation. Security Scanner can detect the following vulnerabilities: cross-site scripting (XSS), Flash injection, mixed content -- fetching unencrypted HTTP content on an HTTPS (SSL) page -- and usage of insecure JavaScript libraries.
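The mixed-content class above is the one a crawler can flag by inspection alone: a page served over HTTPS that references a sub-resource over plain HTTP. The following added example (written for this page, not Google's scanner code) parses an HTML document with the standard library and reports such references, separating active mixed content (scripts, frames, stylesheets, which browsers block because the fetched resource can run code) from passive mixed content (images and media, which browsers usually only warn about). The page URL and HTML are constructed samples; protocol-relative and relative references are resolved against the page URL so that only explicit http:// references are reported.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose http:// references are "active" mixed content: the fetched
# resource can execute or restyle the page, so browsers block it outright.
# <link href> is treated as active regardless of its rel attribute.
ACTIVE = {
    "script": ("src",), "iframe": ("src",), "link": ("href",),
    "object": ("data",), "embed": ("src",),
}
# Elements whose http:// references are "passive" mixed content: the resource
# can be tampered with in transit but cannot execute; browsers usually warn.
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src",), "source": ("src",)}


class MixedContentParser(HTMLParser):
    """Collect sub-resource references that resolve to an http:// URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser also routes self-closing tags (<img .../>) through here.
        attrs = dict(attrs)
        for table, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for attr in table.get(tag, ()):
                ref = attrs.get(attr)
                if ref:
                    self._check(tag, attr, ref, severity)

    def _check(self, tag, attr, ref, severity):
        # Resolve relative ("/static/x.png") and protocol-relative
        # ("//cdn/x.js") references against the page URL; those inherit https.
        resolved = urljoin(self.page_url, ref.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append(
                {"tag": tag, "attr": attr, "url": resolved, "severity": severity}
            )


def scan_mixed_content(page_url, html):
    """Return a list of mixed-content findings for an HTML document served at page_url.

    Mixed content only exists on an encrypted page, so a page that is itself
    served over http:// yields no findings.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (not a real site): two active and one passive
# mixed-content references, plus three references that resolve to https.
SAMPLE_PAGE_URL = "https://app.example.test/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<img src="/static/secure.png">
<iframe src="https://widgets.example.test/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("%-7s <%s %s=%s>" % (finding["severity"], finding["tag"],
                                    finding["attr"], finding["url"]))
```

Run against the sample it reports the stylesheet and legacy.js as active and the logo as passive; the protocol-relative script and the relative image resolve to https and are not reported. The active/passive split matters for triage: active findings break the page in current browsers and must be fixed, while passive ones are a tampering risk to schedule.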
